Brazilian ISPs Hit with Large-Scale DNS Attack

Millions of people in Brazil have potentially been exposed to malware as a result of a nationwide DNS attack. Additionally, several organizations in Brazil are reporting that network devices are also under attack. After being compromised remotely, scores of routers and modems had their DNS settings altered to redirect traffic. Police have arrested a 27-year-old ISP employee who is suspected to have taken part in the attacks.

Brazil has some 73 million Web-connected computers, with the top ISPs averaging 3-4 million customers each. “If a cybercriminal can change the DNS cache in just one server, the number of potential victims is huge,” said Kaspersky’s Fabio Assolini, who detailed the DNS attack in a report.

The attacks started last week, when millions of Brazilians were faced with redirections after accessing several popular local and international portals, including Google, YouTube, Uol, Terra, Globo, and Hotmail. In one case, Kaspersky observed a clean system being redirected from Google.com.br to another destination after being told to install "Google Defence."

“It asks the customer to download and install the so-called 'Google Defence' software required to use the search engine. In reality, though, this file is a Trojan banker detected by Kaspersky’s heuristic engine. Research into this IP highlighted several malicious files and exploits hosted there,” Assolini added.

From monitoring its install base, Kaspersky noted 800 attempts to access the malicious server, which were thwarted by its security measures. The exact number of victims in this DNS attack is unknown, however.

Across the country, organizations are reporting that network devices were compromised and had their DNS settings changed to join the existing DNS attack. In those cases, when employees of the affected companies tried to open any website, they were requested to execute a malicious Java applet, which installed the same malware as Google Defence.

“We advise all affected users to update antivirus and all software in the computer (such as Java), also change the DNS configuration to other providers (such as Google DNS). In attacks against network devices we also recommend updating the firmware of the router and changing the default passwords,” Assolini explained.

While the DNS attacks rampaged, Brazil’s Federal Police arrested a 27-year-old who was an employee of a medium-sized ISP in the southern part of the country.

“Brazil has long had issues like this with various actors attacking the DNS infrastructure to plant malware. These are typically not "classic" cache-poisoning attacks done with botnets in a Kaminsky-style attack. Rather, they are much more straightforward as Assolini's report implies,” Rod Rasmussen, President and CTO of IID, told SecurityWeek.

“Someone at an ISP is complicit, there are default passwords on servers or known vulnerabilities on various premise equipment that criminals can then use to crack them,” Rasmussen added. “Once they have access, they simply add bogus entries for lots of common domains to redirect users behind that equipment to the wrong site.”

It’s said that over a ten-month period, the man arrested altered the DNS cache of his employer, which in turn directed all of its customers to the malicious server handing out the banking malware. Kaspersky suspects that similar internal compromises are happening across Brazil.
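The redirection described above leaves a recognizable trace: a resolver that suddenly answers for several unrelated popular domains with one address that a reference resolver never returns. The following check is an added example, not from the article or from Kaspersky's report; the function name `find_redirected`, the threshold, and all answer data (documentation-range IPs) are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: domain -> set of A records returned by a resolver.
# REFERENCE stands for a resolver you trust, SUSPECT for the ISP or router
# resolver under test. In practice both maps would be filled by live lookups.
REFERENCE = {
    "google.com.br": {"198.51.100.10", "198.51.100.11"},
    "youtube.com": {"198.51.100.20"},
    "uol.com.br": {"198.51.100.30"},
    "terra.com.br": {"198.51.100.40"},
    "example.org": {"198.51.100.50"},
}
SUSPECT = {
    "google.com.br": {"203.0.113.66"},
    "youtube.com": {"203.0.113.66"},
    "uol.com.br": {"203.0.113.66"},
    "terra.com.br": {"198.51.100.41"},  # differs, but could be CDN/geo variation
    "example.org": {"198.51.100.50"},
}


def find_redirected(suspect, reference, min_domains=2):
    """Return {ip: [domains]} for addresses the suspect resolver hands out for
    at least min_domains watched domains and the reference never returns."""
    known_good = set().union(*reference.values())
    by_ip = defaultdict(set)
    for domain, answers in suspect.items():
        ref = reference.get(domain)
        if ref is None or answers & ref:
            continue  # no baseline, or at least one answer agrees with it
        for ip in answers - known_good:
            by_ip[ip].add(domain)
    # A single mismatch is weak evidence (load balancing); many unrelated
    # domains converging on one unknown address is the pattern to alert on.
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}


if __name__ == "__main__":
    for ip, domains in find_redirected(SUSPECT, REFERENCE).items():
        print(f"{ip}: {len(domains)} watched domains redirected: {', '.join(domains)}")
```
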

“Brazil has always stood a bit apart from the rest of the world in the way cyber-criminals operate and attack. Oftentimes they precede other areas of the world by pioneering new techniques. For example, heavy use of malware tied to phishing was seen in Brazil for a couple years before it became popular elsewhere. Is this rash of DNS-based attacks a harbinger of things to come worldwide? Given the high effectiveness of the techniques, I would unfortunately predict that it is likely,” Rasmussen concluded.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.